Article Content
Article Number | 000019330 |
Applies To | RSA ACE/Server RADIUS Cisco Router |
Issue | Using ACE/Server RADIUS to control enable access to a Cisco router: not able to give enable access privileges to users authenticating via RADIUS. |
Cause | The proper attributes have not been configured in the user's profile on ACE/Server. |
Resolution | On the ACE/Server, set the Service-Type (attribute 6) value in the user's profile to login (or administrative-user). With just that setup, the privilege level is determined by the Service-Type defined in the profile: 1 for login (regular user) or 15 for administrative-user. Adding the 9,1 av-pair lets you set the user's privilege level regardless of the Service-Type value; for example, a user profile with Service-Type (attribute 6) set to login and the 9,1 av-pair set to shell:priv-lvl=15 gives the user enable privilege. The Service-Type must be defined for anything to work when aaa authorization exec is configured on the Cisco router.

This behaviour is enabled with the following command on the router:

aaa authorization exec default radius

On the ACE/Server administration interface: Profile --> Add Profile, name the profile appropriately, then add the attribute(s):

1. Service-Type. This attribute can be set to login (Regular User) or administrative-user.
2. For further granularity of enable privileges, add Vendor-Specific and set the value to: 9 1 "shell:priv-lvl=15" (the 15 can range from 1 to 15 depending on your router's enable privilege configuration). |
Legacy Article ID | a7896 |
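As an added example (not part of the RSA article), the Python below encodes and parses the two attributes the resolution relies on, Service-Type (attribute 6) and the Cisco av-pair carried in Vendor-Specific (attribute 26, vendor 9, sub-type 1), as they appear on the wire in an Access-Accept, and applies the article's rules to derive the exec privilege level. The decision logic in exec_priv_level is an assumption modelled on the article's description, not Cisco IOS code; the Service-Type values 1 (Login) and 6 (Administrative-User) are the RFC 2865 values.

```python
import struct
SERVICE_TYPE = 6            # RADIUS attribute 6
VENDOR_SPECIFIC = 26        # RADIUS attribute 26 carries the "9 1 ..." av-pair
CISCO_VENDOR_ID = 9         # vendor id 9 = Cisco
CISCO_AVPAIR = 1            # vendor sub-type 1 = cisco-avpair
LOGIN_USER = 1              # Service-Type = Login (regular user)
ADMINISTRATIVE_USER = 6     # Service-Type = Administrative-User
DEFAULT_LEVEL = {LOGIN_USER: 1, ADMINISTRATIVE_USER: 15}  # per the article

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def service_type_attr(stype):
    """Encode Service-Type (attribute 6) as a 4-byte integer."""
    return attr(SERVICE_TYPE, struct.pack("!I", stype))

def cisco_avpair(text):
    """Encode a Cisco av-pair: attribute 26, vendor 9, sub-type 1, string."""
    data = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data)) + data
    return attr(VENDOR_SPECIFIC, vsa)

def parse_attrs(payload):
    """Yield (type, value) pairs; reject truncated or malformed TLVs."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed RADIUS attribute list")
        atype, alen = payload[i], payload[i + 1]
        yield atype, payload[i + 2:i + alen]
        i += alen

def exec_priv_level(payload):
    """Assumed model of 'aaa authorization exec default radius': no Service-Type
    -> None (authorization fails); shell:priv-lvl=N overrides the Service-Type
    default of 1 (Login) or 15 (Administrative-User)."""
    service_type, priv_lvl = None, None
    for atype, value in parse_attrs(payload):
        if atype == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            text = value[6:4 + vlen].decode(errors="replace")
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR \
                    and text.startswith("shell:priv-lvl="):
                priv_lvl = int(text.split("=", 1)[1])
    if service_type is None:
        return None
    return priv_lvl if priv_lvl is not None else DEFAULT_LEVEL.get(service_type)
```

Feeding a captured Access-Accept attribute list to exec_priv_level is a quick way to check whether a profile that fails to grant enable is missing Service-Type or carrying a malformed av-pair.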